From f73575728fbc22d80582c8efea3cba2878de78e2 Mon Sep 17 00:00:00 2001
From: Livio Amstutz
Date: Mon, 27 Jan 2020 16:16:11 +0100
Subject: [PATCH] local allowed

---
 pkg/op/config.go | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/pkg/op/config.go b/pkg/op/config.go
index ee569aa..17e9781 100644
--- a/pkg/op/config.go
+++ b/pkg/op/config.go
@@ -3,6 +3,7 @@ package op
 import (
 "errors"
 "net/url"
+ "os"
 "strings"
 )
 
@@ -30,7 +31,7 @@ func ValidateIssuer(issuer string) error {
 return errors.New("host for issuer missing")
 }
 if u.Scheme != "https" {
- if !(u.Scheme == "http" && (u.Host == "localhost" || u.Host == "127.0.0.1" || u.Host == "::1" || strings.HasPrefix(u.Host, "localhost:"))) { //TODO: ?
+ if devLocalAllowed(u) {
 return errors.New("scheme for issuer must be `https`")
 }
 }
@@ -39,3 +40,15 @@ func ValidateIssuer(issuer string) error {
 }
 return nil
 }
+
+func devLocalAllowed(url *url.URL) bool {
+ _, b := os.LookupEnv("CAOS_OIDC_DEV")
+ if !b {
+ return b
+ }
+ return url.Scheme == "http" &&
+ url.Host == "localhost" ||
+ url.Host == "127.0.0.1" ||
+ url.Host == "::1" ||
+ strings.HasPrefix(url.Host, "localhost:")
+}
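Review bot: The new condition `if devLocalAllowed(u) {` in the second hunk drops the negation that the removed line had, so the check is inverted. With `CAOS_OIDC_DEV` unset, `devLocalAllowed` returns false and no error is returned from this branch, so a non-https issuer on any host gets past the scheme check. With the variable set, the local http issuer the helper is meant to permit is the one that gets rejected. The line should read `if !devLocalAllowed(u) {`. ValidateIssuer starts above this hunk and continues below it.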
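Review bot: In `devLocalAllowed` (third hunk) `&&` binds tighter than the `||` chain, so the `url.Scheme == "http"` test applies only to the `localhost` comparison. Once `CAOS_OIDC_DEV` is set, a host of `127.0.0.1`, `::1` or `localhost:<port>` makes the function return true whatever the scheme is; the removed line grouped the host alternatives in parentheses. Restore that grouping by opening a parenthesis before `url.Host == "localhost"` and closing it after the `strings.HasPrefix` call. `os.LookupEnv` tests only for presence, so `CAOS_OIDC_DEV=false` still enables the relaxation; a doc comment such as `// devLocalAllowed reports whether a plain-http loopback issuer is permitted; development only, enabled by the presence of CAOS_OIDC_DEV.` would make that explicit. The parameter name `url` also shadows the imported `net/url` package inside the function; `u` would match ValidateIssuer.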